OBD-ME


Security


Notes on Security of OBD Devices

We want to provide a brief note on the security considerations of our application. There are 3 primary categories of OBD tools.

The first is a reader, which reads all hex codes traveling over the bus.

The second is a scanner, which is what we’re using. A scanner queries the car (the main computer/hub), and the car responds with the requested data. It is read-only (apart from the requests it sends for data), and anything that isn’t formatted as a valid request is dropped by the chip. These types of OBD devices can still be sniffed. However, there isn’t any data that can be sniffed that you couldn’t get by looking at the car or through its windows. There are occasional reports of back doors being found in specific devices. However, these have so far been isolated to specific device lines and not the primary OBD scanner chip (ELM327). Lastly, for anyone to even be able to interface with these devices, they would need to connect through either Bluetooth or a physical wire, and the vehicle would have to be powered on. This imposes physical range limits. On top of that, Bluetooth requires a password (though manufacturers usually make it 1234 or something similarly easy).

The last type of device is an OBD spoofer. This is not the technical name for it, and these devices aren’t widely used because of the obvious security risks. They are tools that allow you to actually control and manipulate your car: they pretend to be a part of your car and can be used to splice and add data to the bus.
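The read-only request/response model of a scanner can also be enforced on the app side, before anything is written to the adapter. The sketch below is an added example, not code from the OBD-ME app: the function names and the allowlist policy are assumptions, the sample reply is constructed, and Python is used only for illustration.

```python
import re

# Assumed app policy: OBD-II service -> exact request length in bytes.
# 01 = current data (service + PID), 03 = read stored trouble codes,
# 09 = vehicle information (service + PID). Service 04 (clear trouble
# codes) is deliberately absent, so the app can never issue it.
ALLOWED = {0x01: 2, 0x03: 1, 0x09: 2}
_HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def _to_bytes(text: str) -> bytes:
    compact = "".join(text.split())
    if not _HEX.fullmatch(compact):
        raise ValueError(f"not hex-encoded OBD data: {text!r}")
    return bytes.fromhex(compact)

def validate_request(cmd: str) -> bytes:
    """Return the request bytes if cmd is an allowlisted read-only query."""
    raw = _to_bytes(cmd)  # also rejects adapter "AT..." commands: 'T' is not hex
    if ALLOWED.get(raw[0]) != len(raw):
        raise ValueError(f"request {raw.hex()} is not on the read-only allowlist")
    return raw

def match_response(request: bytes, line: str) -> bytes:
    """Return the data bytes of a reply only if it answers this request."""
    raw = _to_bytes(line)
    # A positive reply echoes the service byte plus 0x40, then the PID.
    expected = bytes([request[0] + 0x40]) + request[1:]
    if not raw.startswith(expected):
        raise ValueError(f"reply {raw.hex()} does not answer {request.hex()}")
    return raw[len(expected):]

def engine_rpm(data: bytes) -> float:
    """Decode PID 0C (engine speed): ((A * 256) + B) / 4 rpm."""
    if len(data) != 2:
        raise ValueError("PID 0C carries exactly two data bytes")
    return ((data[0] << 8) | data[1]) / 4

if __name__ == "__main__":
    req = validate_request("01 0C")             # engine speed query
    data = match_response(req, "41 0C 1A F8")   # constructed sample reply
    print(engine_rpm(data))
```

Matching each reply against the request that was sent is a consistency check on the link, not authentication of the device at the other end.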

If someone truly wanted to hack your car, they most likely wouldn’t do it through the OBD port. Most cars have much greater security risks than the OBD port, since the system as a whole wasn’t designed with security in mind. There are examples of cars being controlled over cellular from anywhere in the world. There are readily accessible wires on a car to which anyone can connect a device smaller than the palm of your hand and then control the car. There are much simpler ways to hack a car than through an OBD scanner. The good news is that car manufacturers are starting to make security more of a priority, and currently, there are much cheaper ways to steal cars than by hacking them.

Because of this, the security risk that our app introduces by using an OBD scanner is extremely small compared to the risks that are already present in a car. We are also using proper data hiding methods in our app to keep it as secure as possible. While we do admit that the security isn’t perfect, in our opinion the blame falls primarily on the car manufacturers for their lack of concern when it comes to these preexisting security vulnerabilities.